Lawyers Get Creative to Circumvent HIPAA’s Lack of a ‘Private Right’

Patients may not have the right to sue covered entities for violations of HIPAA, but their attorneys are finding other laws, mostly at the state level, that allow patients to seek retribution after data breaches or other issues. And many of them have been successful.

“One thing we often hear from folks is, ‘There’s no private cause of action under HIPAA, so my concerns are somewhat lifted because I know no one can pursue [that] against me,’” which has been consistently held in case law. But “that hasn’t stopped…individuals from pursuing covered entities for data breaches,” said George Breen, a Washington, D.C., attorney for Epstein Becker Green, during a Sept. 8 webinar sponsored by the firm.

In a recent example, Health Net notified almost 2 million of its members that their information was breached when storage devices maintained by IBM went missing (RPP 5/11, p. 1). The insurer made the announcement in early March, and by March 22, a class-action suit had been filed on behalf of current and former members in federal court in California, Breen said. It is seeking injunctive relief and $5 million in damages for violating California’s Confidentiality of Medical Information Act.

“In this case, what you see is the emphasis being placed on the HIPAA obligation to comply with reporting of the data breach. Now, even though there’s no private cause of action [under HIPAA], in this situation you’re defending a class-action suit of a violation of a similar state statute,” Breen explained.

In some instances, piggyback lawsuits are resulting because of the attention the original cases are getting in the news. For example, Breen said, a man applying to Anthem Blue Cross of California filed a suit against the company in March 2010 because he saw that his application could be accessed on the company’s website along with those of other prospective members. That case was settled in August, but because of the attention it received, the Indiana Attorney General’s office sued WellPoint (Anthem’s parent company), alleging that it had breached Indiana’s data breach protection laws (RPP 8/11, p. 12).

So “new litigation venues [are] opening up given this increased emphasis on HIPAA and privacy and data protection,” according to Breen.

A recent case in Missouri is using an older tactic by trying to use HIPAA to establish a standard of care, a notion on which court decisions “across the country have differed,” said Breen. In I.S. v. The Washington University, the plaintiff charges disclosure of confidential medical information to the plaintiff’s employer without her authorization. She was being treated for colon cancer and asked the provider to send information on those treatments to her employer for medical leave purposes. Instead, the provider sent her entire medical record, including HIV status, mental health issues and insomnia treatments.

This case is attempting to use a “negligence per se claim,” which means “you had the duty to protect this info under HIPAA, and you didn’t so you are liable,” Breen explained.

The U.S. District Court for the Eastern District of Missouri recently allowed the Missouri case to proceed “on the theory that she could at least argue that HIPAA sets forth a standard of care by which entities are required to comply,” said Breen. “So I think you need to take from that the fact that cases like that will become more common as well where individuals are effectively trying to jump over the ‘no private cause of action hurdle’ that HIPAA provides us with, and use other and more creative ways to try to sue covered entities.”

There have been other good examples of these cases in recent years. One is Acosta v. Byrum, says San Francisco attorney Reece Hirsch, a partner at Morgan, Lewis & Bockius. Heather Acosta was a patient and an employee of Psychiatric Associates. She alleged that her employer improperly shared his medical record access code with the office manager, allowing the office manager to obtain the plaintiff’s psychiatric and other health care records, which were shared with third parties without her authorization. Acosta alleged that, by providing the office manager with the access code, her employer had violated certain rules and regulations established by the health system, the hospital and HIPAA. She also alleged negligent infliction of emotional distress (RPP 2/07, p. 5).

A ‘Back Door’ Private Right Exists

“In determining that there was a cause of action for negligent infliction of emotional distress, the appellate court [in North Carolina] said HIPAA was evidence of an appropriate standard of care, which is part of demonstrating negligence,” says Hirsch. “So this is sort of a back-door private right of action.”

Another good example is Sorensen v. Barbuto in Utah. Nicholas Sorensen was in a car accident and was treated by John Barbuto, M.D. Sorensen filed a personal injury claim against the driver’s insurance company. While the trial was postponed, the physician had ex parte communications with the attorneys for the insurance company. Sorenson filed suit against Barbuto, saying the communications were a breach of the physician’s duty of confidentiality (RPP 4/08, p. 8).

The case is similar in the way the plaintiff used HIPAA as a standard of care, Hirsch explains. Barbuto was no longer Sorensen’s physician when the ex parte communications took place, he adds. “He made the ex parte statement to defense counsel that contradicted the patient’s testimony.”

The doctor argued that his statements to the attorneys were permitted under Utah’s Rules of Evidence because Sorenson had placed his physical condition at issue in the personal injury suit, so his health information was no longer protected by the physician-patient evidentiary privilege. But the court said that while those rules provide an exception to the physician-patient privilege, the exception “does not thereby vitiate the entirety of the physician’s duty of confidentiality.”

HIPAA violations in private lawsuits brought by patients have historically been tossed out, Rebecca Fayed, of the Washington, D.C., office of SNR Denton, tells RPP. “We were fearful a few years ago that they were going to try to use negligence claims that there was a duty to comply with HIPAA, which is scary because there would be damages. We’ve seen a few of those cases….It’s a way of getting around HIPAA, but Congress did not intend for it to be used that way,” she says. “With HITECH, Congress reiterated its lack of intent to put [a private cause of action] in HIPAA.” The power HITECH gave to attorneys general “is the closest we’re ever going to see. It’s never going to be modified, so lawyers are looking for more creative ways.”

Fayed says private lawsuits using state laws will be much more successful. “Under some state constitutions, there is a broad right to privacy” unlike at the federal level, she says. State-level lawsuits against CEs are free to use consumer protection laws, financial information privacy laws, medical information privacy laws and state privacy breach notification laws.

“I would say that in 99% of cases, they are looking creatively under state privacy laws. Sometimes they’re successful, and sometimes not. It depends on how the state law is written and what the facts are.”

Fayed admits that she’s up on her soapbox about this issue and contends that many of the suits are frivolous. “In a good percentage of OCR complaints, there is no violation,” she points out. “People are just mad….The problem in this situation is that people don’t always understand what the law says: ‘You, Provider A, who referred me to Provider B, never should have disclosed my test results to Provider B.’ It’s crazy.”

The suits at the state level can be fairly successful as long as the plaintiffs can demonstrate damage, she says, and many of the cases are being settled.

Investigations Can Sometimes Backfire

If a data breach does occur, the covered entity needs to keep in mind that its own investigation and documentation of the outcome could be used against it in one of these suits, Breen pointed out.

“As you are reacting to a breach, you need to recognize what you are likely doing with the documents you are creating [to notify] folks and conduct an investigation. You are creating Exhibit 1, 2, etc. in a potential lawsuit. And you need to…act cautiously as you’re reacting and you’re conducting your investigation because the paper you are creating and the message you are sending is going to be used as these investigations and as the litigation proceeds,” he said.